Security firm Symantec says it has found a flaw in the Android apps for WhatsApp and Telegram, which could allow hackers to "manipulate" files transferred between users.
According to a Symantec blog published Monday, the flaw relates to the fact that the messaging apps can save files such as photos or videos automatically to your phone's gallery or external storage. This is something WhatsApp does automatically unless a user opts out in the settings. Telegram users can enable the feature.
The flaw comes in if a user happens to also have malware on their device that has access to and can alter the phone's external storage. It would allow hackers to intercept media files being sent between users and potentially alter them. Symantec terms the attack "Media File Jacking."
One example given by Symantec is that a hacker could intercept and alter a photo. Here is a video of how a hacker could modify an image, replacing the faces of the people in the photo with actor Nicolas Cage.
"While this attack may seem trivial and just a nuisance, it shows the feasibility of manipulating images on the fly," said Symantec.
The company added that the flaw could also be used to alter payments or voice notes. "In one of the most damaging Media File Jacking attacks, a malicious actor can manipulate an invoice sent by a vendor to a customer, to trick the customer into making a payment to an illegitimate account," said Symantec.
The company also hypothesised that the hack could be used to propagate misinformation in Telegram "channels," which are used to broadcast messages to large numbers of users.
Symantec's blog makes multiple recommendations to WhatsApp and Telegram of changes to file validation and storage to patch up the vulnerability. However, a WhatsApp spokeswoman pushed back against Symantec's suggestions.
"WhatsApp has looked closely at this issue and it's similar to previous questions about mobile device storage impacting the app ecosystem. WhatsApp follows current best practices provided by operating systems for media storage and looks forward to providing updates in line with Android's ongoing development. The suggested changes here could both create privacy complications for our users and limit how photos and files could be shared," she said.
Business Insider understands that WhatsApp hasn't found evidence of the exploit being used in the wild.
Telegram was not immediately available for comment when contacted by Business Insider.
Per WhatsApp's statement, the vulnerabilities around external storage on phones have come up before and could affect apps other than messaging services.
Symantec recommends that users can mitigate any risk by disabling their apps from saving media files to external storage. In WhatsApp you can do this by going to Settings/Chats/Media Visibility. In Telegram you can follow Settings/Chat Settings/Save to Gallery.
Symantec/Business Insider composite Here's where to disable the functions in WhatsApp (left) and Telegram.
WhatsApp's security also came under fire in May after it discovered that hackers had been installing spyware on targets' phones simply by calling them on the app.
I spent $2,000 for 7 nights in a 179-square-foot room on one of the world's largest cruise ships. Take a look inside my cabin.
One of the world's only 5-star airlines seems to be considering asking business-class passengers to bring their own cutlery
Vodafone Idea FPO allotment – How to check allotment, GMP and more
A flaw found in WhatsApp and Telegram on Android lets hackers mess with your photos, payments, and voice notesThis is the latest sign that Trump could be easing up on the United States trade ban with HuaweiHow to reset your Google Pixel to its factory settings, and then restore your data if neededEmmanuel Macron tweets wild video of a man riding a hoverboard, and hints it could be used by the French armyCopyright © 2024. Times Internet Limited. All rights reserved.For reprint rights. Times Syndication Service.
Next Story